Analysis

  • max time kernel
    149s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-06-2024 00:21

General

  • Target

    941f4e48b737449c86825809a5ae419a47f1fa55a0dd0a12920539f99fb9d987.exe

  • Size

    2.6MB

  • MD5

    514f35751c767a1c308307b8ab16582f

  • SHA1

    5b43a258c112ebccb311f32777ccbeaffaa7bbac

  • SHA256

    941f4e48b737449c86825809a5ae419a47f1fa55a0dd0a12920539f99fb9d987

  • SHA512

    62d2f0425ec4a306bb35272e3530fd911085df47a384a4f9d729866a36bf56ca671a80ebfa1f192e0272ee7e8f0f0cd1ce5cddf9abcb51caa8a9272382eb7536

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBTB/bS:sxX7QnxrloE5dpUpob

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\941f4e48b737449c86825809a5ae419a47f1fa55a0dd0a12920539f99fb9d987.exe
    "C:\Users\Admin\AppData\Local\Temp\941f4e48b737449c86825809a5ae419a47f1fa55a0dd0a12920539f99fb9d987.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2676
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1312
    • C:\IntelprocLU\xdobec.exe
      C:\IntelprocLU\xdobec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1996

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocLU\xdobec.exe

    Filesize

    2.6MB

    MD5

    21d1b072a29a047c71fac3560b291d30

    SHA1

    2442c9ca6a5b801842bb2365dba5c4edf155aa70

    SHA256

    5fbfb46ac0a8df68f1e3eb18a1541f240e6def6fb4272e98c534ad44085cca61

    SHA512

    43dcc24288e69655683ebd33708f1565e1d3cffbee1cc6c08c51aa823ad9d6f5421a050c454165ab5c257a087d5d172000df41c9a805bc8baff9e34ceb080bcd

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    205B

    MD5

    43aba280b1b73087d79d41d255020359

    SHA1

    b9843dfeaeb783553c138930c85c61217ebdc146

    SHA256

    3a50833dcab246ca8204789341a9573d07dcd93d312c8d6112f4e557330dc528

    SHA512

    1ca2d1e5dac565f06de05001f941eb5790121c2352e9489c9a5a660317dfcbf0c3578e37cfb5f7d6ffed0b60191028c08abf642421511fe0b2d3ad7342b23fd7

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    173B

    MD5

    aafa7fee2bb59dc0ce55ee513f88b478

    SHA1

    6ae78a9fd8e5d7c70aed3c13ef42c6717dba1061

    SHA256

    c18c3adce63f260002cecb9158c2b10ffbae44e43f001b4a59c2bcbd9c60d9d3

    SHA512

    78a15ff8ffda2e09aefe4bd6cdc29417a9b3dd12ad512333d1029189206cb0ad349fea1bc34b3a965bf76e4f9ad01d6251c396d939a7565da1cea13fe767c987

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

    Filesize

    2.6MB

    MD5

    7bf2693fc4fdfde66b4591558d3aa677

    SHA1

    e566a8f30ccbb0bb6cf112bf2b875fa6699663a1

    SHA256

    05b48d595ead8521c2c83b2c11c1d81e9e89340bc4c5710697727a07c0f8c6e0

    SHA512

    4683d2f911e254f040f699493c541669b37ae753595029a573f18737331a633dd1caa092e6a6de5509d3e7913952414d1efca44345f702f98f8204ce9b9ae9ce

  • C:\VidSM\boddevec.exe

    Filesize

    609KB

    MD5

    de66a531f652663acd0325e6864ac420

    SHA1

    11216cbe2cde36541239374d7c820c7352499985

    SHA256

    035fa7afe08564ea125d5e445dec01378a06e944a5d70ec1785a30020fe6fb50

    SHA512

    43d01a2a141d40e67220516a5b6c63cf39cc6ccc85905022d91451a17b7f2136a36a9a25248ce0b33ed1e632b7d38b4c2ae326c1c40e12bc5439c00ad29f640a

  • C:\VidSM\boddevec.exe

    Filesize

    2.6MB

    MD5

    c0c52cabbe31afb25a784808c9597412

    SHA1

    5d17e821e2b18c94868ced223dedf8698db09abe

    SHA256

    1e097d541f3dbd4e536e764264c02af2f40730ff5e74422f0c8c8260cce9cd34

    SHA512

    eda8f0f590c615d9aafb02f00203cd80689079628a3f4b17e332a4cd1a521b10d43747c1f73da77de127ec8458821d0e19dc67c980ba7fc25e16da18789c6c95